Commenting update

As some of my visitors have noticed, there have been some problems submitting comments around here. The preview form would remove your carefully input character entities/references, double hyphens were converted to em dashes, etc.

I finally got around to figuring out how to prevent the comment preview from ruining your work. You can still markup your comment with Markdown syntax though.

However, the ever increasing comment spamming has forced me to implement some countermeasures that require your browser to have referrer logging enabled. If you have that turned off, you won’t be able to post comments, something for which I am really sorry. If you can think of a clever workaround that will let legitimate commenters access the commenting scripts while keeping the trash out, please let me know.

Posted on January 20, 2005 in Movable Type, Quicklinks

Comments

  1. January 20, 2005 by Arve

    You aren’t saying which version of MT you are running, but all my advice needs MT3.0 or above.

    1. I presume you already have MT-Blacklist 2.04 installed? I have found that the moderation is indispensible. If something is spam, it stops in my moderation queue, and it takes me only two clicks to get rid of it.
    2. If you haven’t installed it already, I’d suggest trying either mt-dsbl or mt-proxyplug — both these plugins disable commenting through open proxies of some sort, and the majority of spam is indeed sent through proxies.
    3. Try implementing the Burningbird comment spam quick fix — basically: Create a hidden form field, with a custom name and a custom value. Check if the submitted forms contain this name-value pair, and if not, return a 403 error.

    Myself, I am using only options 1 and 2, and I have not yet have a spam get further than the moderation

  2. January 20, 2005 by Arve

    BTW, I am being redirected to the wrong URI when commenting. My last submission sent me to #2651 instead of #comment2651.

  3. January 21, 2005 by Roger Johansson (Author comment)

    Thanks for the tips. I’m still using MT 2.65, so I can’t do everything you suggest. I do have MT-Blacklist, and it catches most spam, but not all of it. I’m using option 3, but that only works for a week or so after I change the name-value pair.

    By far the most effective thing I’ve done is the referrer check. Not a single automated spam has even reached MT-Blacklist since I implemented it.

    Thanks for informing me of the redirect problem. I hadn’t even noticed. I’ll try to fix that ASAP.

  4. January 21, 2005 by Mark Wubben

    Roger, perhaps you could make the posting guidelines a fold out area or something like that. When looking for new comments I usually go to the bottom of the page, but then the guidelines are in the way from seeing the latest comment.

  5. January 21, 2005 by Arve

    Thanks for the tips. I’m still using MT 2.65, so I can’t do everything you suggest.

    Let me just say that the $99.95 I spent on MT3 was the best $99.95 I have spent on weblogging. Not only for blacklist and mt-dsbl, but because MT3 has a far more usable interface.

  6. January 21, 2005 by Roger Johansson (Author comment)

    Mark: I’ll look into doing that.

    Arve: Yeah upgrading would probably be a good idea. I’m still on 2.65 because I read about a lot of people having problems with early releases of MT 3, and right now I don’t have the time for anything but a smooth and hassle-free upgrade.

  7. January 21, 2005 by Arve

    I had no problems whatsoever when I installed 3.14. From earlier experiences with hassle-free updates, I use the following approach:

    1. I always download both the full version and the upgrade version.
    2. I always run mt-check.cgi from the new version prior to installation. Also run mt-testbg.cgi to check if you can run background tasks.
    3. I uninstalled MT-Blacklist.
    4. I then install the full version instead of the upgrade, to ensure that everything in the lib and extlib directories are the current versions.
    5. Modify mt.cfg as needed: There are a few new options, mainly to run background tasks and enable TypeKey authentication. Looking at the default config file that came with the full install should give out enough clues as to what you need to add to your old mt.cfg
    6. I copy the required upgrade scripts from the upgrade download, and run them. You will have to run both mt-upgrade
    7. Prior to upgrading to Movable Type 3.14, I had a somewhat hacked version of MT2.65; in particular using Sean Willson’s mt-rebuild type mod. Since the MT Rebuild type mod changed what in MT3.14 is known as “Rebuild this template automatically when rebuilding index templates” to “No”, I had to set this for the various rebuild templates.
    8. Install the new MT-Blacklist. Install mt-dsbl
    9. Set up the cron job for Movable Type. This ensures that the blacklist stays up to date.
    10. You might also want to create your own templates for the new default templates, in particular the “Comment pending” template. (I haven’t actually performed this step myself)
  8. January 21, 2005 by Roger Johansson (Author comment)

    Arve: Thanks for the step-by-step instructions. I’ll give it a shot when I feel I have a day to spare just in case something goes wrong - hopefully in a couple of weeks or so.

  9. February 9, 2005 by Patrys

    As for comment spam, the following scheme seems to be working flawlessly for me for a long time: a live example.

    It basically makes sure noone ever tries to bypass the preview box by calculating a simple hash for entered data and sending it along with the preview form. If the hash does not match the values entered, the user is being sent back to the preview form.

    It was implemented in PHP and the example reference linked above uses a very simple hashing mechanism. For real use you should also hash stuff like current number of comments or current blog post ID.

Comments are disabled for this post (read why), but if you have spotted an error or have additional info that you think should be in this post, feel free to contact me.